When a network login client fails authentication, it is moved to authentication failure VLAN (Virtual LAN) and given restricted access.
To configure the authentication failure VLAN, use the following commands:
configure netlogin authentication failure vlan
unconfigure netlogin authentication failure vlan
enable netlogin authentication failure vlan ports
disable netlogin authentication failure vlan ports
Use the command enable netlogin authentication failure vlan to configure authentication failure VLAN on network-login-enabled ports. When a supplicant fails authentication, it is moved to the authentication failure VLAN and is given limited access until it passes the authentication.
Through either a RADIUS (Remote Authentication Dial In User Service) or local server, the other database is used to authenticate the client depending on the authentication database order for that particular network login method (mac, web, or dot1x). If the final result is authentication failure and if the authentication failure VLAN is configured and enabled on that port, then the client is moved there.
For example, if the network login MAC authentication database order is local, radius and the authentication of a MAC client fails through local database, then the RADIUS server is used to authenticate. If the RADIUS server also fails authentication, the client is moved to the authentication failure VLAN. This applies for all authentication database orders (radius,local; local,radius; radius; local).
In the above example if authentication through local fails but passes through the RADIUS server, the client is moved to appropriate destination VLAN. If the local server authentication fails and the RADIUS server is not available, the client is not moved to authentication failure VLAN.
Only when Radius Access-Reject is received, the client moves to auth fail vlan in Netlogin Mac. 802.1x Authentication: Client will move to auth fail vlan for access rejection and for cases where Radius Access Challenge is received without reject from the Radius Server. After the expiration of the timeout period, client will move to auth fail vlan.